mziel | 8 years ago

You can read more about the cookie law here: https://www.cookielaw.org/the-cookie-law/

Basically EU wanted sites to obtain consent to use users' cookies (and for the users to give/take away that consent). However, pretty much all the sites just decided to provide you with a banner saying something like "if you're using this site you agree to our cookie policy". Therefore the law became ineffective and just a nuisance to the users.

This notion of "implied consent" is being actively fought with GDPR. You have to provide explicit consent to the usage of your data. And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service).

With ePrivacy this will go one step further. Right now you only need to provide opt-out, which means most people will likely leave it as it. Going forward those additional services (marketing purposes, ad tracking) will need to be strictly opt-in (and there's already internal research done in some companies showing that marketing/ad opt-in rates will be 10-12% at best).

askvictor|8 years ago

But what's the alternative approach to the cookie law? A yes/no consent page before your site, and if you click no, the user doesn't get to access it? Because that's basically the same thing, but even more annoying.

tgsovlerkhgsel|8 years ago

If you click no, a single, non-tracking cookie (i.e. "optout=true", not a session ID) is set, and you get to use the parts of the web site that don't require cookies to function (which, for 99% of the cookie banners I've seen, is all I wanted).

Furthermore, if I remember correctly, no explicit consent is required where the cookie has to be used for features the user requested, like a shopping cart.

So, if the law was actually written to require what it was supposed to require, and actually enforced, a web site operator would have the options to either:

a) implement an opt-out globally across the entire site to ensure no part sets a cookie and doesn't track them, with a high risk if you get it wrong, annoy every visitor with a modal yes/no before letting them onto the site (which would hurt your conversion rates etc.), where the "no" would be a meaningful choice that would still let them use your site, and there would be very little incentive for the user to click yes

b) stop tracking users unnecessarily in general

As it is written, the options are:

a) implement an opt-out globally across the entire site to ensure that no part sets a cookie and doesn't track the users, with a high risk if you get it wrong

b) slap an annoying banner on your web site

One of these options is significantly less work and allows you to keep tracking users, so guess what gets done.
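An added example (not code from the thread or from any commenter) of the scheme this comment describes: a single constant-valued opt-out cookie that carries no identifier, strictly necessary cookies (cart, session) exempt from consent, and tracking cookies only ever set after an explicit yes. The cookie names and helper names are assumptions.

```python
# Added example: minimal consent gate for the "optout=true" scheme.
# All names and cookie values here are assumptions, not from any real site.
from http.cookies import SimpleCookie

CONSENT_COOKIE = "optout"  # constant value only, never a session ID
# Cookies needed for features the user explicitly requested; no consent required.
STRICTLY_NECESSARY = {"cart", "session", "csrf"}


def consent_state(cookie_header: str) -> str:
    """Return 'opted_out', 'opted_in' or 'undecided' from a request's Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if CONSENT_COOKIE not in jar:
        return "undecided"
    return "opted_out" if jar[CONSENT_COOKIE].value == "true" else "opted_in"


def consent_set_cookie(said_yes: bool) -> str:
    """Set-Cookie header recording the yes/no answer; the value identifies nobody."""
    value = "false" if said_yes else "true"
    return f"{CONSENT_COOKIE}={value}; Max-Age=31536000; Path=/; Secure; SameSite=Lax"


def tracking_allowed(state: str) -> bool:
    # Strict opt-in: an undecided user is treated the same as one who said no.
    return state == "opted_in"


def filter_set_cookies(set_cookie_headers, state):
    """Drop every non-essential Set-Cookie header unless the user opted in."""
    kept = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        if name in STRICTLY_NECESSARY or name == CONSENT_COOKIE or tracking_allowed(state):
            kept.append(header)
    return kept


if __name__ == "__main__":
    # Constructed sample: a cart cookie plus a tracking cookie the app tried to set.
    outgoing = ["cart=42; Path=/", "ad_id=abc123; Path=/"]
    print(filter_set_cookies(outgoing, consent_state("optout=true")))
```

The site keeps working for a "no" (cart and session cookies still pass), while analytics or ad cookies are only emitted for an explicit "yes".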

haeffin|8 years ago

Which is why there is the "And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service)." point - you're not allowed to deny access to a newspaper article if somebody does not consent.

xg15|8 years ago

Not tracking users.

From what I understand, the GDPR also disallows denying users access to a site if they don't consent to an unrelated data collection.

kuschku|8 years ago

Websites in the Netherlands (and German public broadcasters) already follow the original ideal:

Before accessing the website, you get a choice between yes and no.

If you select no, the site will not do any tracking, no analytics — some sites disable ads in that case entirely. You still get to access the site.

If you select yes, you get the tracking.

whyever|8 years ago

No, you could outlaw degrading functionality, which is what they are doing in the new law.

a_imho|8 years ago

IMO the cookie law was good and (ianal) but a banner in your face is not consent, not in an opt-in way at least.

vageli|8 years ago

If you're made aware of the terms and can choose to leave, that's pretty much consent. Do you sign a paper agreeing to all the terms when you enter a car park? Of course not! It's a class of contracts called contracts of adhesion. [0]

[0]: https://en.m.wikipedia.org/wiki/Standard_form_contract

iagovar|8 years ago

But opt-in for what? For being tracked? Using your data? Just showing you an ad?

mziel|8 years ago

You're supposed to enumerate all uses of the data (and they need to be sufficiently detailed and specific). The user has a choice to opt-in/out of each of them separately.

There is currently no detailed description as to what the definition of "sufficiently" is. For example:

- can I use your data to build a targeting machine learning model?

- can I use it to target you?

- do I need specific opt-in for every model?

Most things in GDPR are not specified in order to both give flexibility to the sites and to reduce the number of loopholes (which are technically legal but against the spirit of the law). You need to decide on the implementation and be ready to defend it in case of an audit.